Security Without Strategy = Chaos

Good security strategies help an organisation to have good security management and corporate governance of the organisation.  A security strategy linked directly to the wider strategy for the organisation provides direction, and a reference point to establish priorities.  Developing a good strategy and learning how best to implement it is crucial to successful security and good business.

Without a security strategy it will often not be clear how the security function contributes to the overall aims of the organisation.  Unsurprisingly then, security can be marginalised, or at least it does not fulfil its potential to generate competitive advantage.

Having a good security strategy in place can provide a range of benefits.  A security strategy can:

  • Provide stakeholders with a clear understanding of what your security function is trying to achieve.
  • Help in aligning the security function with business priorities to achieve competitive advantage.
  • Enable all staff to better understand why security is important and how it can add value.
  • Offer a framework to guide the direction of your security function, embedding security in all systems, procedures and processes.
  • Help you to be proactive in your response to security, anticipating security issues before they arise.
  • Help you to review the performance of your security function and gain greater awareness of the challenges and risks you face.
  • Inform budget development and document the value security adds to an organisation.
  • Help to protect your organisation’s profit, reputation, brand, assets, customers, suppliers and employees.
  • Improve corporate resilience and sustainability.

Security leaders need to have at least a basic understanding of strategic planning, including its development and implementation.  Strategic planning is a fundamental element of successful companies and is a crucial part of managing delivery.

Small and mid-sized businesses face many of the same security threats and have the same security needs that larger companies have.  All need to understand and take into account the regulatory constraints, values, vision, goals, objectives, and operational parameters that the organization operates under.  You need a specialist to help protect your network.  You need someone that understands the infrastructure and someone that understands your servers.  Someone is required that understands the reason that your endpoints are configured the way that they are configured, and can offer guidance on updates and patches.  Unless you are extremely lucky and operate everything straight off the shelf and out of the box, you need someone that is familiar with your critical applications and the idiosyncrasies of your particular environment.  You will need someone on staff that can assess your environment for vulnerabilities, and someone to monitor the environment for unauthorized changes and threat activity.

While small and mid-sized businesses face many of the same issues as larger companies, they typically have smaller security budgets for hardware, software, services, or staff.  In some cases, the IT staffer in charge of security in a smaller organization is also responsible for most or all of the other aspects of the organization’s IT infrastructure and networks.

Unfortunately, the security market often focuses on the latest, most visible threat or hottest new technology.  Most security products have regular, large upgrades that sometimes are incompatible with earlier versions.  A lot of organizations simply cannot keep up with the pace of patches and updates, and end up running their business on older versions of their security software while continuing to pay maintenance.  This allows them to realize only part of the potential of their existing IT budget.  The cost of the product is often only a fraction of the Total Cost of Ownership (TCO).

One of the main 2010 goals for C-level IT execs will be to cut cost and reduce complexity.  Will that drive lead to better efficiency, or will it lead to vendor lock-in?  Simply reducing vendors has the risk of failing to balance cost, complexity and risk. 

Top Security Threats

The Computer Security Institute (CSI) and the FBI have conducted a survey of IT professionals regarding security for each of the past 14 years, making it the longest-running project of its kind in the security industry.  The CSI/FBI Computer Crime and Security Survey is based on responses from between 400 and 600 computer security professionals in the United States.  Nearly half of the respondents work for organizations with fewer than 1,500 employees.  According to the 2009 survey, the top security problems are:

  • Insider abuse of network resources, including use of the Internet for non-work related access or downloading unlicensed software.
  • Attacks from viruses, Trojans, or other malware.
  • Unauthorized access to computer systems.
  • Uncontrolled or unauthorized change.

These issues have topped the survey for the past five years – a good indicator that these areas deserve special focus from IT groups.  The survey also finds that the chief sources of financial losses are financial fraud, theft of proprietary information, virus attacks, and theft of laptops and other mobile devices.  Theft of proprietary information, which can be any type of intellectual property, is an especially insidious type of attack to defend against.  That’s because the attack may come not only from an unauthorized intruder, but from a legitimate insider – perhaps an employee who holds a grudge, is looking for illicit profit, or who may not realize that intellectual property should not be taken to a subsequent job at a competing firm.

Other key findings:

  • Respondents reported big jumps in incidence of password sniffing, financial fraud, and malware infection.
  • One-third of respondents’ organizations were fraudulently represented as the sender of a phishing message.
  • Average losses due to security incidents are down again this year (from $289,000 per respondent to $234,244 per respondent).
  • 25% of respondents felt that over 60% of their financial losses were due to non-malicious actions by insiders.
  • Respondents were satisfied, though not overjoyed, with all security technologies.
  • Most respondents felt their investment in end-user security awareness training was inadequate, but most felt their investments in other components of their security program were adequate.
  • When asked what actions were taken following a security incident, 22 percent of respondents stated that they notified individuals whose personal information was breached and 17% stated that they provided new security services to users or customers.
  • When asked what security solutions ranked highest on their wishlists, many respondents named tools that would improve their visibility—better log management, security information and event management, security data visualization, security dashboards and the like.
  • Respondents generally said that regulatory compliance efforts have had a positive effect on their organization’s security programs.

Your security strategy should introduce and promote a defense-in-depth mindset, meaning that your defenses should overlap and support one another.  Defense in depth means adding protection against threats that are already covered by another control, so that if the primary protection fails, a second layer still holds.  Defense in depth is the reason why there is a lock on your safety deposit box, and also a lock on the door to the safety deposit box room, as well as a lock on the doors of the bank itself.  Defense in depth is why you wear your seat belt even though the car is equipped with air bags, built from strong metals, and designed to crumple in a specific manner on impact.  It’s why, when you put away a gun, you set the safety on, remove the ammunition, and lock up the gun case.